package router

import (
	"fleetmanager/api/controller/user"
	"fleetmanager/api/errors"
	model_user "fleetmanager/api/model/user"
	"fleetmanager/api/response"
	"fleetmanager/db/dao"
	"github.com/beego/beego/v2/server/web"
	"net/http"

	"github.com/beego/beego/v2/server/web/context"
)

// 用于接口权限控制
func initCommon() {

	// 当前权限控制 Fleet 伸缩策略 别名 日志 应用包 实例规格组 事件
	// pattern中通配符只支持一层路径
	web.InsertFilter("/v1/:project_id/user/swr-organization", web.BeforeExec, filterReadOnlyUser)

	web.InsertFilter("/v1/:project_id/aliases*", web.BeforeExec, filterReadOnlyUser)

	web.InsertFilter("/v1/:project_id/builds", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/builds/*", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/image-builds", web.BeforeExec, filterReadOnlyUser)

	web.InsertFilter("/v1/:project_id/fleets", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/fleets/*", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/fleets/:fleet_id/*", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/monitor-fleets", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/monitor-fleets/*", web.BeforeExec, filterReadOnlyUser)

	web.InsertFilter("/v1/:project_id/fleets/:fleet_id/scaling-policies", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/fleets/:fleet_id/scaling-policies/*", web.BeforeExec, filterReadOnlyUser)

	web.InsertFilter("/v1/:project_id/lts-access-config", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/lts-transfer", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/lts-log-group", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/lts-transfer", web.BeforeExec, filterReadOnlyUser)

	web.InsertFilter("/v1/:project_id/resource-specification", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/resource-specification/*", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/event", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/event/*", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/topic", web.BeforeExec, filterReadOnlyUser)
	web.InsertFilter("/v1/:project_id/topic/subscriptions/*", web.BeforeExec, filterReadOnlyUser)
}

// 对非GET接口进行管理员身份确认
func filterReadOnlyUser(ctx *context.Context) {
	token := ctx.Input.Header("Auth-token")
	claim, err := user.ParseToken(token)
	if err != nil {
		response.Error(ctx.Input.Context, http.StatusUnauthorized,
			errors.NewErrorF(errors.Unauthorized, "Parse token error"))
		return
	}
	if ctx.Input.Method() == "GET" {
		return
	}
	userinfo, err := dao.GetUser().Get(dao.Filters{"id": claim.UserId})
	if err != nil {
		response.Error(ctx.Input.Context, http.StatusBadRequest,
			errors.NewErrorF(errors.InvalidUserinfo, "user does not exist"))
		return
	}
	if userinfo.UserType < model_user.Sub_Admin {
		response.Error(ctx.Input.Context, http.StatusForbidden,
			errors.NewErrorF(errors.NoPermission, "current user is read-only user!"))
		return
	}
}
